Gary McKinnon's legal team said they will take their fight against his extradition all the way to the European Court of Human Rights on Monday, as the highest court in England began deliberations on whether to turn him over to US authorities.
The London hacker now faces an anxious wait for the judgment on his latest appeal, …

What is surprising, is

Can anyone remember what exactly was compromised

Wasn't this a case of someone trying to gain entry to US military computer systems, the entry detected and the Pentagon securing up their systems and counting the cost of that securing up as the cost of the intrusion?

I thought he was looking for proof of UFOs, and just used some basic Perl scripts to try and gain entry. Now if the Pentagon wish to say that their sensitive data is kept on the perimeter then that is a failing, but I am sure they are not that daft.

This is a bit of a storm in a teacup really, and posturing by the US on the tough crackdown on cybercrime, but his crime was one of curiosity, a prison term doesn't seem justified, but something else should be done to act as a deterrent.

Community service does appear to have been on the table to begin with, and that is probably appropriate. The admins of these systems do need to take some responsibility in ensuring security, not just rely on the law as the stopper, which is a bit lazy for all of society. Had it been a malicious crack attempt, then it looks like they could have caused some damage.

Makes a change

Poor Guy

Waiting all this time for the slow court system. I hope he wins his extradition case and this country full of corrupt officials who are embarrassed at how easily he got in don't get their hands on him.

Two issues

First, let me say I don't agree with the pressure the US government is exhibiting in this case compared to other similar cases. It's obvious to me they're just looking to make an example of him. Having said that, I do have two issues:

First, The US has every right to say (paraphrased) "Take our deal or all bets are off". They are under no obligation to offer a plea bargain. They have every right to go after him to the full extent of the law. I have no doubt they used dirty tactics in attempts to get him to plead guilty, but they have every right to say "all bets are off" and seek the maximum penalty, just as the prosecution does in every other case.

Second, these next two sentences are mutually exclusive: "McKinnon has admitted taking advantage of lax security in US systems to install covert software that gave him control of settings and access to files... He has not admitted causing hundreds of thousands of dollars of damage..." If he admitted to installing software, then he admitted to causing damage. What, does he (and his legal team) think the computers magically cleaned themselves of his malware? Depending on the number of systems he infected, it could very well have been hundreds of thousands of dollars to clean up his mess (especially with the pork government contracts get). It takes time to clean a system and verify/validate it is infection-free, and that time costs money.

Lastly, this is nothing he did not already know when he chose to perform these acts. He knew the risks, and he went ahead anyway, probably using the all-too-common thinking of "it won't happen to me". Well, it did. He got caught, and now he has to take responsibility and accept the consequences.

Hopefully...

... this case might see the end of the shameful extradition treaty between the UK and the US where they can say "We want to extradite this person and we don't have to offer you any evidence, but if you want one of our citizens, you'll have to show you have a reason to do so!"

@Clare Montgomery QC

"as he hacked into American computers that he was committing an act that would have had repercussions in America."

So by their logic, things that the US do that may have repercussions in the United Kingdom can be punished under our local laws- such as rendition flights landing on our soil. That made us a more "legitimate" target for terrorists than ever and given that the threat is so grave- or at least that's what the Americans tell us- could be extrapolated to encouraging terrorism in the UK.

Or that they could be punished under the Iraqi laws they broke while still invading before they forcibly removed the legitimate ruler of that area. Which I can't believe is not against international law, misinterpreted UN resolution or not.

Gary McKinnon committed a crime, yes. And yes, he should be punished. But there appears to have been no malice in what he did and I cannot believe that he caused the amount of damage the US are claiming- not to mention the ridiculous levels of downtime they claimed at the time.

Should he be sent to the 'states (where the mayor of NYC iirc said he'd see McKinnon "burn for this")? Absolutely not. It's not safe and any punishment would be a political showcase rather than a fitting way of atoning for what he had done.

Should he be incarcerated? No- he poses no actual threat to society so it's not a suitable punishment.

Should he be fined and banned from the Internet for a set period of time (say 5 years), prevented from buying an internet-enable-able phone or taking a job where it would be necessary? I think it would be a good PR stunt and would probably be a better way of warning people that being a cracker is probably not the best career move.

And imagine the indirect fine and punishment he would face- a [former] sys admin with all of that experience and all of that skill going to waste. Not being able to get an IT job for years afterwards or even keep himself up-to-date with the world of computing (devaluing what skills he had). That would be the worst punishment of all.

And on principle we shouldn't hand him over to the Americans anyway as they're trying to shove us around. We should stand resolute and tell them "no more". This is another one of those things that I'd not mind some of my tax money going to.

Adam Foxton

So by their logic, things that the US do that may have repercussions in the United Kingdom can be punished under our local laws- such as rendition flights landing on our soil. That made us a more "legitimate" target for terrorists than ever and given that the threat is so grave- or at least that's what the Americans tell us- could be extrapolated to encouraging terrorism in the UK.

its not may it did. So if hired a Hit man to kill princess Diana in the US but he kills her in the UK , you would be content for me to be tried in the US ??

the real question is

@Adam Foxton

As a US citizen, I couldn't agree more except possibly about the amount of damage. It's difficult and time-consuming (and thus costly) to verify a system is secure after an infection has been removed. In order to accurately determine a non-infected status, you have to verify and account for every single file (and possibly/probably, on Windows systems, every single registry key). Really, the only safe way to do it is to back up your data files, wipe the system, reload the OS, drivers, and apps, and restore the data files. Of course, that still might be problematic because registry keys would be lost (which is the primary reason I hate the registry and wish we never strayed from .ini files). That'll take some time and cost some money. I don't know how many systems he infected, but it could easily cost $500-1000 per system using standard service rates. Adjust those rates for the government pork factor, and I wouldn't be surprised if it cost $2500-5000 per system.

@AC re: "Can anyone remember what exactly was compromised"

Please read the article before commenting. The article clearly said what he did (cracked into systems and installed software allowing him to change settings and access files) and what he claimed his reason was (looking for evidence of UFOs). As I explained above, cleaning that up will cost quite a bit, especially if it was many systems. Also, please understand that where sensitive data is kept is completely irrelevant. Once a system is compromised, you need to remove the infection and return the system to a secure status. This is true if it's an internal system with sensitive data and if it's a kiosk system in the lobby used to log in visitors. You can't say "Well, this system doesn't have sensitive data on it, so it's OK to leave it compromised". Similarly, the data kept on the system should have no bearing on the punishment. Cracking into a government system should carry the same punishment regardless of its purpose or network address.

Pass the blame

The problem is, it's not his fault. If you take the front door off your house or dont bother to have one in the first place and someone enters your house and places cameras in it, you can't get them to pay for a new front door or to pay to search for cameras. It was the resposability of the US GOV to ensure there was a door in the first place.

Ok, your not buying this, lets put it another way, your in a pub and for no fault of your own, you get into a fight. Do you think you can sue the other person for the cost of now wanting bodyguards to ensure you don't get hurt again?

I agree they can sue for damages but thats not what they are doing, they want to hide their incompatence at the expence of others, the UK & US taxpayers.

Two other things 1) why hasn't anyone in the US been fired and 2) why didn't our govenmeant pass an amendmeant saying this treaty would only come into effect when the US agreeded.

I remember when this was first reported (the agreemeant). Very clear where the ruling class are taking our country.

No problem with the US wanting to procecute.

This guy is bang to rights, he has done what he is being accused of, and cleaning up after him will cost money. Mind you if he's any good perhaps the US should consider a community service punishment and make him work for them for a while.

Where I have problems is that US law always seems to be about vengeance and not justice, so why should we extradite anyone to that kind of barbaric legal system.

Not only that, WTF are we doing honouring a one sided treaty, the law lords should just say come back when you ratify the treaty then you can have him.

Perhaps one thing we should take to the court of human rights is the right of any signatory to extradite to a non-signatory.

@AC

"So if hired a Hit man to kill princess Diana in the US but he kills her in the UK , you would be content for me to be tried in the US ??"

Logically, in your example you should be tried in the US for hiring the killer and plotting to assassinate (and if successful, causing the death of) princess Diana, while the contract killer (if caught) should be tried for murder in the UK.

Seems quite obvious.

McKinnon, may have caused damages in the US, but (still allegedly) committed the crime in the UK.

@AC to me

Entirely the opposite- by their logic, if you hired a hit man in the US to kill someone in the UK you'd be committing an offence under UK law because it affects us rather than under US law (Where the actual offence was committed).

McKinnon broke the law on UK soil. So he should be tried and if neccessary punished in accordance with UK law. He'd be punishable under US law if he was on US soil (say, an embassy or in the US itself).

Alternatively if the US would care to ratify the no-evidence-required extradition treaty we could get around to extraditing anyone over there who's sold weapons to or trained the Terrorists. Or stirred them up in a way that affects us.

Exactly Nigee

I wrote my MP (Labour) asking why the hell Blair was in such a hurry to pass this bloody treaty when there were (and still aren't) any signs of reciprocity? Regardless of the location of the systems involved, given the draconian prison sentences passed down in the States for minor crimes to help fuel the massive prison industry over there, the man should be tried here in the UK and that treaty ripped up.

The States would NEVER pass such a treaty because it's bloody unconstitutional over there -- why did we?

Just think of the UK as Americas pet puppy..

Relatively harmless but finally figuring out that the easiest way to avoid getting a slap on the nose with a rolled up paper is to just do as its master commands.

Sorry to be so .. honest .. but the truth is the UK has long ago lost the will to make its own decisions in its relationship with the US and from all the yanks I have ever met one thing is clear ... they see the UK as their ..<insert derogetory comment here>.. and they would be truely shocked if the UK were ever show some backbone.. After all the UK may as well be the 51st state.

US...

@Chris C

For your first point you will find that this, if true, is unlawful in the UK and could be cause for refusing extradition. The UK, although agreeing to unilaterally hand over people to the US without prima facie evidence (i.e.. at least some evidence that a crime has been committed and that the person named is a valid suspect) does retain some rights of refusal.

As a particular example the extradition rules forbid any UK citizen being sent to a country where they may or will face the death penalty.

In this case applying undue pressure on a suspect to ease the extradition process is expressly forbidden. Should it be proven (or at least believed) that the US prosecutors tried to apply undue pressure on McKinnon then the Law Lords would b well within their rights to refuse extradition, as well they should.

For your second point, and this is admittedly a little nit-picky the statements are not mutually exclusive. McKinnon does not deny causing damage, he denies causing that much damage.

Remember that the figures quoted by the US authorities suspiciously fall just the high side of an amount where under is a petty crime with only a slap-wrist permissible as punishment whereas above that is a serious crime that can be punished with hundreds of years in prison and millions of dollars of fines.

@jurisdiction issue

Surely, if you are going to try and compare hacking a system in another country with something else. You need to take an example where your action in one country has an effect in another that is illegal by the law of that country.

As an example, if I was in America and fired a gun, and that bullet went over the boarder and killed someone in Canada, in which country did I commit murder? If you can answer that, then you surely have the same answer as for hacking.

Of course this could get very confusing, as in theory you could broadcast a programme in Belgium that would be considered an offence to show in France, and if your signal is receivable in France are you a criminal?

if i remember...

...and im sure someone will correct me if im wrong. he had some software which scanned subnets for systems that had no Administrator password set. he found several on the us mil domains and jumped into these machines. he has claimed that when he got into nasa's system he did find evidence of ufo's. if i recall he also had a conversation with someone at the pentagon and had to pretend he was tech support fixing an issue on the machine. to be honest i really dont see how he caused any damage. its the us govs fault for not securing stuff. i compare this to the new regulation on the bankers code that state " if you dont have a decent firewall anti virus software and anti spyware and you get frauded its your own fault" and thus the same with someone poking around your network!

facing the music

If your going to deliberately hack into anybody’s computer systems you must know what the consequences for that are, there are cases going back many, many years where hackers received very severe sentences especially in the US for exactly this. Now with that in mind he hacks into the Pentagon!!? If he doesn’t spend a decent amount of time inside for this deliberate criminal act then what is the deterrent for future attacks like this.

Yes I’m sure the US is embarrassed that he managed it and so they should be but that does not excuse what he did. I have some sympathy for him but he’s not daft he knew the risks and now he must face the consequences if he really didn’t realise what he was doing then maybe he deserves a reduced sentence up for debate but like I said he’s not daft is he?

I think the fact they are discussing less than ten years with the probability of being transferred to the UK, frankly I think he’ll be getting off lightly.

Extradition

Here in the U.S. we don't/very rarely extradite our citizens. I think you should talk to your government and see why they are so willing to fly you off to another country for punishment. That a pretty weak government and a pretty weak people that let that happen to them. Too bad.

Civil rights

Jeez, this would have never happened if there had been CCTV installed in every house in the country to watch over these vicious bastards. By having cameras in every room we'd ensure that nothing bad was happening and this evil genius couldn't carry out his horrific hacking skills.

Ship him off to some sweat box in a Texas Jailhouse and let the Pentagon get on with dealing with those radical Iraqi militant muslim crazies and the new Iranian enemy. We've got a war on terror guys, our governments have to do everything in their new powers to protect us.

Extradition Process

My understanding ot the process (and IANAL) is that the only way a British citizen can be extradited to the US using that farce of a treaty, is if there is no comprable charge that he can be tried with in the UK. The UK has some pretty strict hacking laws, and at least some of the crime was committed in the UK. He can be tried in the UK and should be. I'm fed up of us Kow-towing to the Americans when they do nothing for us in return, and in fact hinder us.

@richard

I read an interview with him last year, apparently he did find something, he didn't elaborate, just described it as "crazy sh1t". Make of that what you will, I'm staying open minded (while preparing my "Welcome Alien Overloads" banner, just in case)

He's done the US a favour

If a script kiddie can crack the Pentagon's security from his bedroom in Crouch End he has done them a favour by showing themhow crap their security is. If he is to be punished for damaging the military he should be sent to Russia or China as they are now finding it harder to to hack the Pentagon themselves.

He should not be handed over to a bunch of vindictive numbnuts who have been shown to be the fools that they are.

Sorry but he hasn't "done what he was accused of"

Presumably the USA's legal system still operates under the archaic principle of innocent until proven guilty? Let me say that I unequivocally reject the sham treaty under which this extradition attempt is being pursued. It makes a hollow mockery of our democratic traditions.

Please can someone specifically state the nature of the damage he is alleged to have caused? Of course, in McKinnon's case, I suspect that the US authorities may have exaggerated the "damage" in order to justify his extradition.

There are interviews with McKinnon in which he claims to have viewed hi-res satellite pix of large, copper-coloured, cigar-shaped craft. I think he found what he was looking for. That could be the reason the damages have been inflated.

An interview with Gary McKinnon is available here http://www.projectcamelot.org/gary_mckinnon.html

@richard - did he find any alien evidence or what?

An account I read described his download of a low-res movie of a spaceship, and what looked like a hand moving it away (hardly evidence of aliens). More than anything else it seemed to me that he had stumbled into a honeypot designed to catch UFO afficionados. He happened to be rather more adept than they expected, which must have been a bit embarrassing.

Something like this happened to me in 1985...

...I found an open dial-in modem attached to a Unisys mainframe operated by a large British utility company. I spent a couple of weeks playing around looking at interesting stuff, didn't damage anything, got bored and didn't dial in again for about a month.

The Police kicked in my parents front door at 3 am one Wednesday morning and took me away for questioning. I was accused of working for the KGB because 'no 15 year old kid could have broken into a secure computer like that without specialist training'. I spent 3 days being interrogated by unnamed men in dark suits until the QC my parents hired finally got in to see me. He convinced the guys questioning me that it would be a very bad thing if the British public were to discover that one of their most trusted nationalised industries could be so easily compromised by a schoolkid!

In the end, I was given a conditional discharge in a closed court, the condition being that I went to work for the company involved to help them secure their systems. I've been working in the IT security industry ever since, working on keeping the bad guys out of important bits of our critical national infrastructure. The funny thing is; I didn't know anything about the subject at the time I got caught - the modem number was 2 digits away from the main switchboard number and had no password!

If I'd have been convicted and punished as the authorities originally wanted, I wonder what kind of contribution to society I'd be making now?

Hackers are vandels

I can't stand this posturing that hackers are doing us a favour by showing how lax security is. It's like some coming round to my house, breaking a back door window, reaching in, opening the door, rumaging around my possessions and saying "Look mate, I'm doing you a favour by showing you how lax your securiry was and I was just looking around to see if you had any evidence on UFOs. It's lucky for you that I'm not a crook".

They cause milliions of pounds of damage. Well Mr. McKinnon I hope you are locked away for a few years. You are no worse than a petty vandel who breaks into a shop and trashes it.

@Chris C

Please remember that these machines should have been secure in the first place!

Damage done was necessitated by the fact that the configuration of these machines were incompetent and the acts the US have taken is more in the order of vindictive spite for showing this incompetence than any real damage.

Most of the work undertaken after the fact is work that should have been done. If it had been done and they had to do it again, then *maybe* they could argue for the cost. The cost is made up so that they can show it criminal in extent which allows them to demand without proof the guilty party. Pure sophistry.

Typical

He knew very well if he was to get caught, he would have to face the music.

The next time you feel like defending a hacker. Think how easily one can get into your system, hide a folder on your hard drive, fill it with pictures of child pornography, send out some mail containing a few pictures. Then to be really nasty, he makes a few phone calls to the authorities and gives them a tip that you collect, distribute, and solicit child porn.

Apparently it is your own fault that you allowed this, so you should be prosecuted.

Quit making this about one country vs. another (only impotent morons use this to compensate for their own short comings). If the situation was reversed, you would want him to hang from the ferris wheel next to the Thames.

Fact is, he broke the law and caused damage. The damage was in the US, therefore it falls in its jurisdiction. He has nobody to blame but himself.

We need a Stevie Wonder avatar; because even he could see this guy is a twit.

so what did he really do and admit to?

If, as seems to be pointed out, he has admitted to breaking into gov'mnt computers and doing anything; then he should face whatever punishment for the breaking the subsequent cleanup required. Whether this as much as claimed is up for the courts to decide. I doubt very much he needs to be extradited to get a fair trial and sentencing.

If someone in the government left the computers open, fire them.

If, as Pass the blame By Dark, says, I leave the door open or off the hinges for that matter; it still give NO ONE the right to just willy-nilly wander into my home and have about. Trespass is still trespass and you don't want to be the one doing it or get caught doing it.

Spineless UK Government

He committed the offence in the UK, and we have rules against extraditing people to countries where they may face torture or death --- both possibilities in the good old USA. The problem is that new labour have signed away UK rights one by one until between the USA and Brussels they may as well just shut down the UK courts.

He should have been tried here under our anti hacking laws long ago; it was the dumb Americans who blew it all out of proportion and made him a media figure.

Please don't paint all Americans with the same brush

I would hope our friends (and yes, a vast majority Americans consider the United Kingdom our friends and feel we owe the UK a great debt as you had a lot to do with the shaping of this country) in the UK and elsewhere in the world understand that, like their own countries, the government of the USA doesn't always represent the feelings of all Americans or even a majority of Americans. Quite a few Americans are less that proud of our governments actions over the past few years but push us and we have no choice but to circle the wagons. The USA has it share of idiots and dolts, like all countries, and sometimes they get the most attention because they yell the loudest, but that doesn't mean the represent the majority of Americans. Also keep in mind that we, the USA, are going through a rough patch at the present, as all countries do from time to time, but I do hope and believe that things will return to a more respectable path soon, maybe January 20th, 2009. At the same time we will protect ourselves if we feel threatened, just like any country has the right to, regardless of what other countries think, also like any other country.

As the the story in question, in particular, I would certainly hope that this man doesn't get extradited as he sounds more in need of counseling than prison. In general, I do not think any country should ever allow one of it's citizens to be extradited, to the USA or anywhere. One country should be allowed file briefs in court about a crime that occurred in it's territory and maybe have other parts to play in a trial. Diplomatic resources can always be brought to bear if one country thinks another country is not dealing with a citizen that committed a crime in the first countries territory.

@AC "so what did he really do and admit to? "

No trespass laws in Scotland. So if you were up there and just wandered into someone's home that wasn't locked that's not an offence.

@Aodhhan

The problem is that he wasn't committing the crime in that country. If he was in the US, hacked in there and then flew back to the UK it'd be pretty much open-and-shut.

He'd still not be extradited as your politicians have said they'd see him burn so it would break the "no extraditing to a likely death penalty" rules. But at least it'd get rid of a lot of the controversy surrounding the case.

However, he didn't. He was in the UK and hacked the US machine. By "hacked" I mean he found an unguarded entrance and wandered in for a look around. He didn't even have to guess at a password- there wasn't even an "admin / password" combination to attempt.

So he should be tried under UK law as the law was broken from the UK. As someone above has said, if I broadcast a TV signal from the UK that's illegal in France I can't be punished under French law.

And this guy just sent a signal from the UK to the US- but because it was sent from the UK it's UK problem. The US just want (rather disproportionate) vengence and to save face rather than to stop him re-offending or make him a useful member of society again (as is the aim of any rational punishment).

Just thinking- wouldn't the lack of passwords suggest an implied consent to access the computer? Otherwise going to Google- unless you've written approval from them- means you're breaking the law.

The other question is who the hell removed the security passwords on the computers at the Pentagon?! And how many tens of thousands of volts (or years of "community service" in Guantanamo) are they going to get?

user name admin password admin

Correct me if I'm wrong here but we are talking about a guy who used scripts to test equipment and services for default password settings in the networks of major US three letter agencies?

The "damage" costs amount to the cost of forcing their own admins to go around removing the defaults in the "compromised" systems.

If I were the <insert agency here> I would be looking at taking my own admins to trial and employing McKinnon full time to ensure newly installed equipment and services had at least been secured at least at the level of having password protection.

Surely this is about covering up the embarassment of a host of multi billion dollar agencies rather than prosecuting a "malicious terrorist"

@3X2

@3X2

Why are you an apologist for an illegal act? It is that attitude that encourages these people to try to hack into systems. I agree that they should be secure but who gave him the mandate to test the system? It's the same as throwing a brick through a window and telling the owner that his glass should be stronger and then wants recognition of what a valuable service he provides.Tell you what, you get in a plane and I'll try to hack into a air traffic control system while you're in the congested space over London. Now tell me that I'm not doing the world a favour by exposing flaws and holes. These people create real problems and real loses and should be punished not praised.

Prosecuting the wrong person

Extradition

First of all...

the death penalty can only be handed out for 2 things. 1st Degree Murder and High Treason.

Hacking into a computer system doesn't qualify for either.

Second...

He didn't access any classified information. The department of defense does not have their classified network accessible from the public internet. He only gained access to what is known as NIPRNet. This is an unclassfied DoD network which has connections to the Internet; obviously necessary for communications for non-DoD interests.

Third... There are many crimes you can do where you are in one jurisdiction, yet harm is done in another. When this is the case, the court where HARM WAS DONE (ie the US) has jurisdiction.

There are way too many things about this story which seem a bit outlandish, don't you think? If it doesn't pass the laugh test, then it probably isn't true. Don't believe everything you hear, especially if you hold a prejudice. Use your brain, be critical, and think. Those who don't are more idiotic and irresponsible than anyone they accuse.